this post was submitted on 24 Jun 2023
164 points (96.6% liked)

Lemmy

12508 readers
1 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to [email protected].

founded 4 years ago
MODERATORS
 

See THIS POST

Notice- the 2,000 upvotes?

https://gist.github.com/XtremeOwnageDotCom/19422927a5225228c53517652847a76b

It's mostly bot traffic.

Important Note

The OP of that post did admit, to purposely using bots for that demonstration.

I am not making this post, specifically for that post. Rather- we need to collectively organize, and find a method.

Defederation is a nuke from orbit approach, which WILL cause more harm then good, over the long run.

Having admins proactively monitor their content and communities helps- as does enabling new user approvals, captchas, email verification, etc. But, this does not solve the problem.

The REAL problem

But, the real problem- The fediverse is so open, there is NOTHING stopping dedicated bot owners and spammers from...

  1. Creating new instances for hosting bots, and then federating with other servers. (Everything can be fully automated to completely spin up a new instance, in UNDER 15 seconds)
  2. Hiring kids in africa and india to create accounts for 2 cents an hour. NEWS POST 1 POST TWO
  3. Lemmy is EXTREMELY trusting. For example, go look at the stats for my instance online.... (lemmyonline.com) I can assure you, I don't have 30k users and 1.2 million comments.
  4. There is no built-in "real-time" methods for admins via the UI to identify suspicious activity from their users, I am only able to fetch this data directly from the database. I don't think it is even exposed through the rest api.

What can happen if we don't identify a solution.

We know meta wants to infiltrate the fediverse. We know reddits wants the fediverse to fail.

If, a single user, with limited technical resources can manipulate that content, as was proven above-

What is going to happen when big-corpo wants to swing their fist around?

Edits

  1. Removed most of the images containing instances. Some of those issues have already been taken care of. As well, I don't want to distract from the ACTUAL problem.
  2. Cleaned up post.
(page 2) 50 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 1 year ago (1 children)

Lol well it was fun while it lasted! Man there are some really greedy assholes out there.

load more comments (1 replies)
[–] [email protected] 2 points 1 year ago (1 children)

the problem is that activity pub is dumb and bad

load more comments (1 replies)
[–] [email protected] 2 points 1 year ago (1 children)

This is troubling.

At least we have the data though, hopefully these findings are useful for updating the Fediseer/Overseer so we can more easily detect bots

[–] [email protected] 2 points 1 year ago (4 children)

I really wish we would have a good data scientist, or ML individual jump in this thread.

I can easily dig through data, I can easily dig through code- but, someone who could perform intelligent anomaly detection would be a god-send right now.

load more comments (4 replies)
[–] [email protected] 2 points 1 year ago (1 children)

If Twitter can't avoid bots how will the fediverse avoid it, using some captcha maybe?

[–] [email protected] 2 points 1 year ago (1 children)

The only thing I can think of, which would probably be wildly unpopular, is ID checking.

Or perhaps SMS based 2FA on each account, which needs to be reconfirmed monthly?

Perhaps also rate limiting per account.

[–] [email protected] 1 points 1 year ago

That feel pretty much the only way you can easily filter bot out.

The best ID to check would be a government ID or a bank account ID. The gov/bank are absolutely crazy about making sure that someone is really someone.

Unfortunately, this is incompatible with anonymity, unless we trust the instance admin.

I really like the SMS thing.

[–] [email protected] 1 points 1 year ago (1 children)

If you always had e-mail verification turned on then you can get rid of some of these junk sign-ups relatively easy, I wrote a guide for it here: https://lemdit.com/post/16430

From what I've seen, most of the bot sign-ups that are swelling instance User numbers wouldn't have passed e-mail verification. I think it was done mostly to prove a point, rather than an attempt to actually use those accounts.

Instances that didn't have e-mail verification turned on are in a much harder spot.

[–] [email protected] 1 points 1 year ago

I have a kubernetes cronjob, which automatically cleans those up every few days.

Along- with one that cleans up the activity table.

[–] [email protected] 1 points 1 year ago

Hey look, it's me in the picture! What a waste of my 15 minutes of fame

[–] [email protected] 1 points 1 year ago

IMO long term Lemmy needs to move away from upvotes as a measure of interest and activity. That's too easy to manipulate.

Perhaps comment activity and interaction metrics would be better.

load more comments
view more: ‹ prev next ›